The Hacker History Of Alexsey Belan, A Latvian Accused Of Attacking Yahoo For Russian Spies


Alexsey Belan is accused of hacking Yahoo. He's already on the FBI's Most Wanted list. (Image: Department of Justice)

Alexsey Belan is a wily character, if the stories are to be believed.

In 2013, after an arrest warrant was put out by the United States, the auburn-haired, blue-eyed 29-year-old Latvian managed to escape from his hideout in Europe, believed to have been in Greece, sources familiar with the matter told Forbes. That came after American law enforcement called for international assistance in apprehending someone they believed to have carried out attacks on two major e-commerce sites. No one knows exactly how or when he escaped and made it back into the protective arms of Russia.

As a result of his escapades, the FBI put out a $100,000 reward for anyone who could help arrest him. There was also an Interpol Red Notice, demanding his apprehension if he was spotted by law enforcement in any country, whether in one of his journeys to the homeland of Latvia, or his sojourns in the Maldives or Thailand.

Belan was an obvious recruit for Russia's clandestine online operations, according to security experts who've monitored his various web personas, as named on his FBI Most Wanted page: M4G, Magg, Fedyunya and Quarker. From M4G in particular, it appears Belan moved quickly from teenage hijinks to becoming one of the more adept website hackers working across the Russian cybercrime underworld, researchers told Forbes.

Who is Belan?

Belan's alleged monikers have been active since at least 2006, when he was just 18. From 2007 onwards, the M4G alias associated with Belan was gaining a reputation across hacker forums and comms channels like InsidePro and Zloy, while blogging on his own site, M4G.RU, though archived posts reveal no obvious illicit activity.

But the M4G name is linked to multiple breaches. In his early days, M4G focused on websites related to ICQ communications, said Vitali Kremez, director of research at cybercrime intelligence provider Flashpoint. Those sites included uinshop.com, nomerkov.net and uinzz.com. Another of his targets, lordmancer.ru, was a massively multiplayer game, Kremez added. And a screenshot from a hacking forum on which M4G posted also indicated he'd acquired data from Tjat.com, a cloud computing supplier based in Israel. (The named targets hadn't responded to requests for comment at the time of publication.)

The M4G alias associated with Belan posts on an underground hacking forum about target Tjat.com. (Image: Flashpoint)

Another source, who wished to remain anonymous, said Belan's alleged personas were also associated with breaches at a number of major sites across Russia and the old Soviet Bloc. They included Ukrainian entertainment website Bigmir.net, and one of Russia's biggest search engines and web portals, Rambler.ru, which admitted last year to a 2014 breach in which records on 98 million accounts were stolen. (Neither company had responded to requests for comment.) All of those hacks boosted his reputation in the darker corners of the web, the sources said.

M4G was a collaborative player too, often requesting services to crack hashes of passwords he'd stolen. (A hash is a one-way cryptographic digest of a plaintext such as a password; it is "cracked" by having computers make a large number of guesses at high speed, running each guess through the same hashing algorithm until the output matches the stolen digest.) He's been seen selling credit card data, ICQ accounts he'd hacked, and data from a number of breached forums too, said Kremez.
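The parenthetical above is the whole story of why leaked password databases get cracked. The example below is added here to show that story in code; it is not from the article or from any breach it describes. It uses a constructed six-word guess list and three constructed user accounts, and contrasts two storage choices a defender controls: an unsalted fast digest (MD5), where one hash computation per guess is checked against every user at once and identical passwords collapse to identical digests, and a per-user salted, memory-hard digest (`hashlib.scrypt` from the standard library), where every user costs a separate slow computation per guess.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example only: a small guess list and three
# users with weak passwords. Not data from the article or from any real breach.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "hunter2"]
USERS = {"alice": "qwerty", "bob": "hunter2", "carol": "qwerty"}


def md5_hex(password: str) -> str:
    """Fast, unsalted digest: cheap for the server, and just as cheap for a cracker."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_digest(password: str, salt: bytes, n: int = 2 ** 14) -> bytes:
    """Slow, memory-hard, salted digest (standard-library hashlib.scrypt)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=8, p=1, dklen=32)


def store_unsalted(users: dict) -> dict:
    """Weak storage: username -> md5 hex of the password, no salt."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def store_salted(users: dict, n: int = 2 ** 14) -> dict:
    """Stronger storage: username -> (random 16-byte salt, scrypt digest)."""
    stored = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        stored[user] = (salt, scrypt_digest(pw, salt, n))
    return stored


def crack_unsalted(leaked: dict, wordlist) -> tuple:
    """Dictionary attack against unsalted MD5 digests.

    Because there is no salt, identical passwords give identical digests, so
    each guess is hashed once and looked up against every user at the same time.
    Returns (recovered, hash_ops) so the cost can be compared.
    """
    by_digest = {}
    for user, digest in leaked.items():
        by_digest.setdefault(digest, []).append(user)
    recovered, hash_ops = {}, 0
    for guess in wordlist:
        hash_ops += 1
        for user in by_digest.get(md5_hex(guess), []):
            recovered[user] = guess
    return recovered, hash_ops


def crack_salted(leaked: dict, wordlist, n: int = 2 ** 14) -> tuple:
    """The same dictionary attack against per-user salted scrypt digests.

    The salt forces a separate computation per user per guess, and each of
    those computations is orders of magnitude costlier than one MD5 call.
    Returns (recovered, hash_ops).
    """
    recovered, hash_ops = {}, 0
    for user, (salt, digest) in leaked.items():
        for guess in wordlist:
            hash_ops += 1
            if hmac.compare_digest(scrypt_digest(guess, salt, n), digest):
                recovered[user] = guess
                break
    return recovered, hash_ops


if __name__ == "__main__":
    weak = store_unsalted(USERS)
    print("alice and carol share a digest:", weak["alice"] == weak["carol"])
    print("unsalted MD5:", crack_unsalted(weak, WORDLIST))
    strong = store_salted(USERS)
    print("alice and carol share a digest:", strong["alice"][1] == strong["carol"][1])
    print("salted scrypt:", crack_salted(strong, WORDLIST))
```

Both runs recover the same three weak passwords, which is the point: salting and a slow KDF do not rescue a password that is in a six-word list. What they change is the cost curve. The unsalted run spends six hash operations for the whole user base, while the salted run spends one slow scrypt call per user per guess, so an attacker facing millions of accounts and a large wordlist pays that cost millions of times over.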

A post on a hacker forum from M4G, a moniker the DOJ associated with Alexsey Belan. M4G is seen here asking someone to crack passwords he'd acquired. (Image: Flashpoint)

By 2011, the M4G name had built a reputation as an adept web app hacker, breaching a large number of websites, with a specialty in breaching WordPress sites. "He's definitely on the radar of the most sophisticated hackers we've seen," said Kremez.

An escape to and from Greece

In 2012 and 2013, U.S. authorities filed indictments against Belan for attacks on three unnamed American e-commerce companies. According to the New York Times, Belan was previously indicted in 2012 for a breach of Amazon-owned shoe retailer Zappos, and in 2013 for attacks on Evernote and Scribd. Sources told Forbes Belan was also linked to hacks of companies in the U.S. online healthcare insurance market.

At that time, Belan was living in Greece, sources familiar with his activities told Forbes, and it's believed that's where he was apprehended in 2013. It's unclear for what specific crime he was arrested, or how he escaped.

By 2014, much of his attention turned to Yahoo, according to the Department of Justice indictment. Far more than co-defendant Karim Baratov, he helped two FSB agents - Dmitry Dokuchaev and Igor Sushchin - acquire access to a large number of Yahoo accounts belonging to targets of interest to Russian intelligence, the DOJ claimed. They included: the former Minister of Economic Development of a country bordering Russia, a diplomat from another bordering nation, an investigative reporter who worked for Russian publication Kommersant Daily, employees of a U.S. cloud storage company, a Nevada gaming official, a senior officer of a major U.S. airline, a managing director of a U.S. private equity firm, and 14 members of staff at a Swiss Bitcoin wallet provider, amongst many others.

Belan was lining his own pockets at the same time, prosecutors alleged, and had one particularly devilish scheme in November 2014 when he manipulated Yahoo search algorithms so that anyone looking for erectile dysfunction treatments would be presented with his own links to an online pharmacy company. That firm would then pay Belan a commission for driving traffic to the site.

From March 2015, he also used his technical finesse honed during those early years to craft access cookies that allowed him into an astonishing 30 million Yahoo accounts, the U.S. said. He then rummaged through victims' contacts to spam them, according to the charges, while also searching for credit card data.
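The indictment's "crafted access cookies" describes a session cookie that a server accepted without the user ever logging in. The article does not say how Yahoo's cookies were built, so the example below is an added, generic illustration (not Yahoo's code or the DOJ's description) of the server-side check that is supposed to make crafting impossible: the cookie carries an HMAC-SHA256 tag computed with a server secret, and the server recomputes and compares that tag before trusting anything in the payload. `SERVER_KEY`, the `user_id|expiry` payload layout and the `edit_payload` helper are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret for this example only. A real service keeps
# it in a secrets store, never in source control, and rotates it.
SERVER_KEY = b"constructed-example-key-not-for-reuse"


def _tag(payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the cookie payload, hex-encoded as ASCII bytes."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")


def issue_cookie(user_id: str, ttl_seconds: int, now: Optional[int] = None,
                 key: bytes = SERVER_KEY) -> str:
    """Issue 'base64url(user_id|expiry).hmac_hex'. Only a holder of key can make a valid tag."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl_seconds}".encode("utf-8")
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + _tag(payload, key).decode("ascii")


def verify_cookie(cookie: str, now: Optional[int] = None,
                  key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user id only if the cookie is well-formed, unexpired and carries a valid tag."""
    now = int(time.time()) if now is None else now
    parts = cookie.split(".")
    if len(parts) != 2:
        return None
    try:
        payload = base64.urlsafe_b64decode(parts[0])
    except ValueError:
        return None
    # Check the tag in constant time before reading anything from the payload.
    if not hmac.compare_digest(_tag(payload, key), parts[1].encode("utf-8")):
        return None
    try:
        user_id, expiry_text = payload.decode("utf-8").split("|")
        expiry = int(expiry_text)
    except ValueError:
        return None
    if now >= expiry:
        return None
    return user_id


def edit_payload(cookie: str, new_user_id: str) -> str:
    """Constructed helper: what someone without the key can do, which is edit the
    payload and keep the old tag. verify_cookie must reject the result."""
    payload_b64, tag_hex = cookie.split(".")
    _, expiry_text = base64.urlsafe_b64decode(payload_b64).decode("utf-8").split("|")
    new_payload = f"{new_user_id}|{expiry_text}".encode("utf-8")
    return base64.urlsafe_b64encode(new_payload).decode("ascii") + "." + tag_hex


if __name__ == "__main__":
    t0 = int(time.time())
    good = issue_cookie("alice", 3600, now=t0)
    print("genuine cookie  ->", verify_cookie(good, now=t0 + 60))
    print("edited payload  ->", verify_cookie(edit_payload(good, "bob"), now=t0 + 60))
    print("attacker's key  ->", verify_cookie(issue_cookie("bob", 3600, now=t0, key=b"other"), now=t0 + 60))
    print("expired cookie  ->", verify_cookie(good, now=t0 + 3600))
```

The check only works as long as the key is secret: anyone holding `SERVER_KEY` can mint a cookie for any user id that passes `verify_cookie`, which is why custody and rotation of signing keys matter at least as much as the algorithm. A short expiry, as enforced here, bounds how long any one minted cookie stays useful, and a server can additionally keep a revocation list keyed on the payload when it needs to cut sessions off early.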

Most Wanted hackers

The only comparable hacker, said Kremez, was another alleged cybercrime kingpin: Evgeniy Bogachev. He's believed to have the protection of the Russian government too. Despite being accused of running a massive malware operation that caused as much as $100 million in damage to U.S. organizations, he continues to live out his days as a free man in a town near the Black Sea, according to law enforcement officials and security companies with knowledge of his activities.

Both Bogachev and Belan were on the list of President Obama's sanctions following the hacks of the Democratic National Committee (DNC) and multiple other organizations involved in the 2016 election, allegedly sponsored by the Kremlin. As reported by Forbes in 2015, Bogachev was also associated with Russian cyberespionage activity focused on the U.S., Georgia and Ukraine.

Evgeniy Bogachev is one of the FBI's Most Wanted and found his way onto American sanctions of Russian individuals and entities following the U.S. election hacks of 2016. (Image: Department of Justice)

No one is telling where Belan might be enjoying the good life. According to the DOJ indictment released last week, he's receiving intelligence from the FSB that's helping him avoid the watchful eyes of Western agencies.

I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist ...